No bone to pick with any financial site that is intelligent enough to
understand the risk involved when using java. My financial sites do NOT
use java. None of my systems have any java runtimes installed.
For some history on why I refuse to allow java on my systems ...
in February 05 I contacted Sun and inquired as to the security risk of
leaving older, vulnerable versions on a system when a 'new' runtime was
pushed out. They admitted that it was a security risk and did NOTHING
about it until just recently. Do the math. How many systems were exposed
to a vulnerability that Sun KNEW existed for over 3 years ?
Every one of their Security bulletins has this at the end of them,
neatly hidden from Users who visit java.com that were totally unaware of
WHY the older, vulnerable versions should be uninstalled:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-244987-1
Note: When installing a new version of the product from a source other than a Solaris patch, it is
recommended that the old affected versions be removed from your system. To remove old affected
versions on the Windows platform, please see:
http://java.com/en/download/help/uninstall_java.xml
I've seen 6 or more JSE's installed on clients' systems. Heck, on one
client's system there were 10 RUNTIMES installed. At 115 MB each, that's
a HUGE amount of disk space being wasted, isn't it ?
I'm not the only one that has been ranting about Sun and their updating
mechanism:
Ghosts of Java Haunt Users
http://blog.washingtonpost.com/securityfix/2008/07/remnant_java_versions_again_po.html
Check out that article, please. Brian Krebs has been on this for as long
as I have.
If another vendor ignored their own SECURITY suggestions, refused to fix
their auto updating mechanism, then I'd be flaming them, too ... trust me.
Now, as to Microsoft's decision to include the MSN toolbar with newer
versions of Sun's java runtime ... MS has made a tremendous improvement
as to security in their software and OSes. It appears that they are
willing to go backwards in regards to security when they include the MSN
toolbar as an OPT-OUT when a newer JRE is pushed out that, in reality,
is a SECURITY update that addresses known vulnerabilities in the
previous runtimes. I'd venture an educated guess that 99% of newer
runtimes came out to address Critical vulns.
This will affect Users who are under the impression that anything MS
offers 'should be installed'. I've seen this first hand on clients'
systems when they installed what was purported to be a security update
from a 3rd party vendor that included unnecessary crap ... like Adobe
trying to sneak the Google toolbar along with Shockwave security
updates. The clients were more than annoyed and became reticent to
install subsequent updates for Flash and Shockwave. Guess what happened
to them eventually ?
All it will take is for Users to get peeved about the installation of an
unnecessary toolbar, or, for something to go wrong during installation
of a JSE that causes serious issues.
Then Users will become reticent when their systems are offered Security
updates from Automatic or Windows Update.
There's enough FUD concerning updating already; does MS really need to
stoke the 'tin foil' crowd ?
So, in effect, MS is stating that ad revenue trumps security.
Sorry, that irks me to no end. I've made my feelings known to them but
.... I have a strong suspicion that Marketing trumps Security these days.
So, I'm not keeping my thoughts to myself any longer and want others to
know WHY including toolbars and other crap along with SECURITY updates
is a shortsighted and counterproductive practice.
Capisce, Leonard ?
MowGreen [MVP 2003-2009]
===============
*343-* FDNY
Never Forgotten
================
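The leftover-runtime problem the post describes can be checked for directly. The following is an added example, not code from the thread or from Sun: it reads the Windows Add/Remove Programs registry data (the 64-bit and 32-bit Uninstall keys) and lists every entry whose display name begins with "Java" or "J2SE", which is how Sun's runtimes registered themselves. The name prefix and the threshold of one expected runtime are assumptions for illustration.

```powershell
# Added example (not from the thread): enumerate Java runtimes registered in
# Add/Remove Programs so that older, vulnerable versions left behind by an
# update can be spotted and removed.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJava {
    # Assumption: Sun/Oracle runtimes register display names such as
    # "J2SE Runtime Environment 5.0 Update 6" or "Java(TM) 6 Update 7".
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE)' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString |
        Sort-Object DisplayVersion
}

$java = @(Get-InstalledJava)
$java | Format-Table -AutoSize

# One runtime is the expected state; anything beyond that is an old copy
# the updater left behind and that the Sun advisory note says to remove.
if ($java.Count -gt 1) {
    Write-Warning ("{0} Java runtimes are registered; only the newest should remain." -f $java.Count)
} elseif ($java.Count -eq 0) {
    Write-Output 'No Java runtime registered on this system.'
}
```

The UninstallString column gives the exact command Add/Remove Programs would run for each stale entry, so the list doubles as a removal worksheet; reading HKLM does not require elevation, but running the uninstall commands does.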
Leonard said:
I don't like pre-checked opt-in boxes any more than you, but I wonder
why you happen to pick on Java, when this practice is widespread among
software providers, and why particularly Java-employing websites,
especially financial websites.
Sounds like you have a bone to pick with an unnamed Java-employing
financial website, and because of that I should avoid software that has
served me well for years?
---
Leonard Grey
Errare humanum est
Beware of the *opt-out* behavior of Sun's java automatic updater. In
the US, at least, the MSN toolbar comes PREchecked [opt-out] and will
install along with purported java 'security' updates. Said 'security'
updates are presented as the latest version of Sun's java runtime.
Including crappy toolbars with security updates as an opt-out is a
REALLY dumb, shortsighted decision.
Shame on MS for doing so.
As to Sun's java, who needs it ?
If a site requires java, then avoid it like the plague.
*Especially* any site that does financial transactions.
MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
===============